Canadian Underwriter

Can cyber coverage recover from past high loss ratios?

March 20, 2023   by Jason Contant

Dollar vanishing to represent loss ratios.

Print this page Share

The Canadian cyber market in general has suffered some “pretty bad loss ratios in the last couple of years,” said Jack Bottomley, senior consultant for cybersecurity with KPMG in Canada.

Not long ago, the industry saw its cyber loss ratio top 400%, meaning cyber insurers on average paid more than $4 for every $1 received in premiums. Those first-quarter numbers from two years ago improved sharply to 108.4% in 2022 Q1, per the Office of the Superintendent of Financial Institutions.

But cyber liability insurers are still reporting unprofitable loss ratios, due in part to the sophistication of threat actors, extortion threats and the large costs associated with handling cyber incidents. Inflation also has been a factor.

“We also need to look at the underwriting of the cyber insurance market [before] the ransomware blowout,” Bottomley added. “It was a race to the bottom for premiums and retentions. You could get $5 million worth of liability for $25,000 gross [premium] — not that sustainable if you think about it.”

At the same time, there was a race to the top for coverage.

Coverage became broader, premiums got cheaper, and the underwriting process lacked a technical approach, he said. Plus, capacity was a challenge.

“It’s going to be difficult and we’re going to see more rate,” said George Longo, president and CEO of Excess Underwriting.

Kevin Neiles, Gallagher’s president of western Canada and chief markets officer, agreed cyber’s been a “really, really tough market,” with a reduction in the number of players and a real demand by insurers for mitigation factors such as multi-factor authentication.

It’s been challenging to find capacity, get timely renewal terms, and get client confirmations on the different protocols they need to put in place. “This has been, in particular, in the last four quarters,” Neiles said last November.

To cope with the challenging market, some insurers are requiring clients to become self-insurers (or co-insurers at the very least) when it comes to ransomware. For example, a client may be on the hook for 50% of the cost of a ransomware attack. In other cases, the market has reacted to exclude certain industries from coverage — by and large, healthcare and the public sector, said Bottomley.

More clients are also considering self-insurance. “We’re still seeing 25%, 50% increases even after the big corrections we saw last year,” Bottomley reported in late 2022. “Is there a way [clients] can…maybe even spend more money on the mitigation that’s actually going to help prevent, detect and respond to a cyber incident?”

Clients should view coverage as part of a multifaceted approach, said Neal Jardine, global cyber risk intelligence and claims director with Boxx Insurance. “You need to make sure you have the security controls, so you’re not just relying on the coverage.”

Many Canadian insurers have responded to high loss ratios and massive ransomware claims by significantly restricting coverage or pulling out of the market completely, said Lindsey Nelson, cyber development leader at CFC Underwriting.

The underling question, though, is whether recent changes represent a corrected market or a hard market.

“We are quite passionate about the fact it’s a corrected market rather than a hard market,” said Nelson. “Calling it [a hard market] insinuates it’s a cyclical market and rates will eventually go down one day, or suggests the price was incorrect before. The reality is, we were pricing for the existing exposure back in that time.

“In terms of the market cycles, the types of claims cyber policyholders will have changes every single year. It can’t be cyclical. Rates can’t go down as a result of [current protections] because the criminals are getting smarter and businesses are increasingly more vulnerable as a result.”

Bottomley added recent pricing changes should be seen as “a correction — something that needed to happen to ensure the markets remain sustainable…before ransomware, the cyber insurance market maybe wasn’t doing everything it could to manage its own performance.”


This article is excerpted from on that appeared in the February-March edition of Canadian Underwriter. Feature image by